Oblong Chiffon Mole
Medium
The _requestWithdraw
and _claimWithdrawals
functions in the LidoVault
contract lack sufficient validation checks, which can lead to failed withdrawal requests and unclaimed funds.
_requestWithdraw
Issue: Insufficient validation of withdrawal amounts.
1137: function _requestWithdraw(address user, uint256 stETHAmount) internal returns (uint256[] memory) {
1138: unlockReceive = true;
1139: require(stETHAmount >= MIN_STETH_WITHDRAWAL_AMOUNT, "WM");
---
1142: bool approved = lido.approve(address(lidoWithdrawalQueue), stETHAmount);
1143: require(approved, "AF");
---
1145: uint256[] memory amounts = calculateWithdrawals(stETHAmount);
---
1148: uint256[] memory requestIds = lidoWithdrawalQueue.requestWithdrawals(amounts, address(this));
1149: require(requestIds.length > 0, "IWR");
---
1151: emit WithdrawalRequested(stETHAmount, requestIds, user);
---
1153: unlockReceive = false;
1154: return requestIds;
1155: }
The function does not validate if the withdrawal amount exceeds the maximum allowed per request or if the user has sufficient stETH balance. This can lead to failed requests.
_claimWithdrawals
Issue: Lack of validation to ensure all withdrawal requests are processed correctly.
1168: function _claimWithdrawals(address user, uint256[] memory requestIds) internal returns (uint256) {
1169: unlockReceive = true;
1170: uint256 beforeBalance = address(this).balance;
---
1174: for (uint i = 0; i < requestIds.length; i++) {
1175: lidoWithdrawalQueue.claimWithdrawal(requestIds[i]);
1176: }
---
1178: uint256 withdrawnAmount = address(this).balance - beforeBalance;
1179: require(withdrawnAmount > 0, "IWA");
---
1181: emit WithdrawalClaimed(withdrawnAmount, requestIds, user);
---
1183: unlockReceive = false;
1184: return withdrawnAmount;
1185: }
The function assumes all requests are successfully processed without validating each claim's success. If a claim fails, it may not be detected, leading to unclaimed funds.
Without proper validation, funds may remain unclaimed, causing discrepancies in expected vs. actual balances.
- https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L1137-L1155
- https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L1168-L1185
Manual Review
_requestWithdraw
- Validate both minimum and maximum withdrawal amounts.
- Check the user's stETH balance before processing the request to ensure they have sufficient funds.
_claimWithdrawals
- Add checks to ensure each withdrawal claim is successful.
- Implement retry mechanisms or logging for failed claims to track and address issues.